Google’s Threat Intelligence Group has disclosed a China-linked espionage operation, designated UNC6508, that maintained persistent, undetected access inside North American medical and military research organizations for more than two years. The group sustained its intrusion almost entirely through native Google Workspace features — specifically, content compliance rules that silently forwarded copies of all matching emails to an attacker-controlled Gmail account — without dropping any malware on endpoints.
How UNC6508 Achieved and Maintained Access Without Touching Endpoints
Initial access was achieved via compromised credentials. Once inside Google Workspace, UNC6508 created content compliance rules under Admin Console → Apps → Google Workspace → Gmail → Compliance — the same configuration panel IT administrators use for legal hold and data-loss-prevention purposes. These rules are invisible to end users, rarely audited, and persist across password resets because they are tied to the organizational unit rather than individual accounts. The targeted organizations did not detect the unauthorized rules for over 24 months.
No malware was dropped on endpoints during the email-exfiltration phase. The campaign relied on living-off-the-land techniques within the cloud productivity suite, making traditional endpoint detection and response tools blind to the activity.
Why Compliance Rules Are an Ideal Long-Term Exfiltration Channel
The compliance rule UNC6508 created automatically forwarded matching emails to a Gmail address the attackers controlled. Google has since disabled the forwarding destination.
Because the compliance rule operated entirely within Google’s own infrastructure, it initiated no outbound connections from the victim organization’s network, installed no software on endpoints, and left no entries in file transfer logs. An attacker who inserts such a rule receives copies of every matching email indefinitely without generating a network alert, a file transfer log entry, or an endpoint detection event.
REDCap as a Lateral Movement Staging Point
In parallel with the email forwarding, UNC6508 used REDCap — a widely deployed clinical research database platform used by hundreds of academic medical centers — as a lateral movement staging point. Investigators found evidence that the group harvested API tokens stored in REDCap project metadata, which were subsequently used to exfiltrate structured clinical trial data including participant demographics, biomarker readings, and trial-arm assignments.
REDCap’s role in this campaign is a novel tactic not previously documented in public threat intelligence. The platform is specifically designed for sensitive biomedical research data and carries a security expectation commensurate with the data it holds. By targeting API tokens stored within the platform’s own project metadata, UNC6508 gained access to structured clinical data without needing to exploit a software vulnerability in REDCap itself.
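The REDCap API token review recommended later in this piece can be turned into a concrete baseline-and-deviation check. The following is an added example written for this article, not code from REDCap, Google, or the investigators. It assumes an exported API request log in a constructed CSV layout (timestamp, token owner, project, API content type, source IP, record count); REDCap's own logging tables differ by deployment, so the parser is the part to adapt. Every log line, user name, project number and IP address below is constructed.

```python
"""
Baseline-and-deviation check for REDCap API token use.

Added example (not REDCap's own code). The log format is a constructed CSV
export; adapt parse_log() to the real logging table. Two deviations are
flagged for each request after the baseline window:
  * new_source_ip  - the token owner/project pair was never seen from this IP
  * bulk_export    - a 'record' export far above the pair's baseline volume
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log: jdoe's project-42 token is used daily from one
# internal address for small record exports, then once from an outside
# address for a very large export.
SAMPLE_LOG = """\
timestamp,user,project_id,content,source_ip,record_count
2024-03-01T08:02:11Z,jdoe,42,record,10.20.30.5,25
2024-03-02T08:05:40Z,jdoe,42,record,10.20.30.5,27
2024-03-03T08:01:09Z,jdoe,42,record,10.20.30.5,24
2024-03-03T09:15:00Z,rlee,7,metadata,10.20.31.8,0
2024-03-04T08:03:55Z,jdoe,42,record,10.20.30.5,30
2024-03-04T23:41:17Z,jdoe,42,record,203.0.113.77,4800
2024-03-05T09:16:02Z,rlee,7,metadata,10.20.31.8,0
"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Parse the constructed CSV layout into a list of dicts with typed fields."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entries.append({
            "time": _ts(row["timestamp"]),
            "user": row["user"],
            "project_id": int(row["project_id"]),
            "content": row["content"],
            "source_ip": row["source_ip"],
            "record_count": int(row["record_count"]),
        })
    return entries


def flag_anomalous_token_use(entries, baseline_until, bulk_factor=10):
    """Build per (user, project) baselines from entries up to baseline_until,
    then return later entries that deviate, each with a list of reasons."""
    known_ips = defaultdict(set)       # (user, project) -> set of source IPs
    max_records = defaultdict(int)     # (user, project) -> largest record export seen
    for e in entries:
        if e["time"] <= baseline_until:
            key = (e["user"], e["project_id"])
            known_ips[key].add(e["source_ip"])
            if e["content"] == "record":
                max_records[key] = max(max_records[key], e["record_count"])

    flagged = []
    for e in entries:
        if e["time"] <= baseline_until:
            continue
        key = (e["user"], e["project_id"])
        reasons = []
        if e["source_ip"] not in known_ips[key]:
            reasons.append("new_source_ip")
        # A pair with no record-export history gets a baseline of 1 so that
        # any sizeable first export is still surfaced.
        if e["content"] == "record" and e["record_count"] > bulk_factor * max(max_records[key], 1):
            reasons.append("bulk_export")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    cutoff = _ts("2024-03-03T23:59:59Z")
    for hit in flag_anomalous_token_use(parse_log(SAMPLE_LOG), cutoff):
        print(hit["time"], hit["user"], hit["project_id"], hit["source_ip"],
              hit["record_count"], ",".join(hit["reasons"]))
```

The baseline window should be long enough to cover every legitimate job that uses the token (nightly ETL, weekly reporting), otherwise the first run of a scheduled export will be reported as a deviation; the cutoff is a parameter precisely so that the window can be tuned per project.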
UNC6508 Targeted Medical Research and Military Procurement Organizations
Targeted organizations operated in the medical research and military procurement sectors in North America — sectors whose data holdings are consistent with PRC strategic intelligence collection priorities.
Google’s Response and Detection Guidance
Google TIG attributed the campaign to UNC6508 with moderate-high confidence based on infrastructure overlaps with previously tracked China-nexus intrusion sets and victimology consistent with PRC strategic collection priorities. Google has notified affected customers and pushed detection logic for anomalous compliance-rule creation into Google Workspace’s Alert Center.
Organizations running Google Workspace should audit Admin Console → Gmail → Compliance → Content compliance rules for any forwarding destinations that cannot be traced to an authorized administrator action. Organizations using REDCap should review API token logs for anomalous access patterns. Any compliance rule forwarding email to an external address requires immediate investigation.
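A recurring audit of compliance-rule changes can be scripted against the Admin audit log rather than clicking through the console. The following is an added example written for this article, not Google's detection logic or any vendor tool. It assumes the activity JSON shape returned by the Admin SDK Reports API (`reports().activities().list(userKey="all", applicationName="admin")`), assumes Gmail setting changes appear as events named `CREATE_GMAIL_SETTING` / `CHANGE_GMAIL_SETTING` with `SETTING_NAME` and `NEW_VALUE` parameters, and does not depend on the exact serialization of `NEW_VALUE` (it only extracts email addresses from it). The sample events, domains, actor accounts and destination address are all constructed.

```python
"""
Flag Gmail content compliance rule changes whose forwarding destination lies
outside the organization's own domains.

Added example (not Google's code). Assumptions, marked as such:
  * activities follow the Admin SDK Reports API JSON shape;
  * Gmail setting changes surface as CREATE_GMAIL_SETTING / CHANGE_GMAIL_SETTING
    events carrying SETTING_NAME and NEW_VALUE parameters;
  * NEW_VALUE is free text whose exact layout is not relied on - addresses
    are pulled out with a regex.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
GMAIL_SETTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}  # assumed names

# Constructed sample: a legitimate legal-hold rule, a rule added by a non-admin
# account that copies everything to an outside mailbox, and an unrelated change.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-02-12T14:03:21.000Z"},
     "actor": {"email": "it-admin@example-medical.org"},
     "events": [{"type": "GMAIL_SETTINGS", "name": "CREATE_GMAIL_SETTING",
                 "parameters": [
                     {"name": "SETTING_NAME", "value": "Content compliance"},
                     {"name": "ORG_UNIT_NAME", "value": "/"},
                     {"name": "NEW_VALUE", "value": "Legal hold: match 'subpoena'; "
                                                    "add recipient legal-hold@example-medical.org"}]}]},
    {"id": {"time": "2024-02-19T03:47:08.000Z"},
     "actor": {"email": "helpdesk2@example-medical.org"},
     "events": [{"type": "GMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
                 "parameters": [
                     {"name": "SETTING_NAME", "value": "Content compliance"},
                     {"name": "ORG_UNIT_NAME", "value": "/Research"},
                     {"name": "NEW_VALUE", "value": "Rule 'Archive': match all; "
                                                    "add recipient archive.review7721@gmail.com"}]}]},
    {"id": {"time": "2024-02-20T10:12:00.000Z"},
     "actor": {"email": "it-admin@example-medical.org"},
     "events": [{"type": "GMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
                 "parameters": [
                     {"name": "SETTING_NAME", "value": "Routing"},
                     {"name": "NEW_VALUE", "value": "Deliver to outbound-gateway@mailrelay.example.net"}]}]},
]
ORG_DOMAINS = {"example-medical.org"}                 # constructed
APPROVED_ADMINS = {"it-admin@example-medical.org"}    # constructed


def _params(event):
    """Collapse the Reports API parameter list into a name -> value dict."""
    return {p.get("name"): p.get("value", "") for p in event.get("parameters", [])}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def find_external_forwarding(activities, org_domains, approved_admins):
    """Return one finding per external address added by a compliance-rule change.
    Severity is 'high' when the change was made by an account outside the
    approved administrator set, 'medium' otherwise."""
    findings = []
    for activity in activities:
        actor = activity.get("actor", {}).get("email", "")
        when = activity.get("id", {}).get("time", "")
        for event in activity.get("events", []):
            if event.get("name") not in GMAIL_SETTING_EVENTS:
                continue
            params = _params(event)
            if "compliance" not in params.get("SETTING_NAME", "").lower():
                continue
            for address in EMAIL_RE.findall(params.get("NEW_VALUE", "")):
                if _domain(address) in org_domains:
                    continue
                findings.append({
                    "time": when,
                    "actor": actor,
                    "org_unit": params.get("ORG_UNIT_NAME", ""),
                    "destination": address,
                    "severity": "high" if actor not in approved_admins else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_ACTIVITIES, ORG_DOMAINS, APPROVED_ADMINS):
        print(f["severity"].upper(), f["time"], f["actor"], f["org_unit"], "->", f["destination"])
```

Any destination outside the organization's domains is worth a ticket regardless of who created the rule; the severity split only orders the queue. Because a rule is scoped to an organizational unit, the `ORG_UNIT_NAME` value tells the responder which population of mailboxes has been copied since the change time.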
